The issue has been fixed in the master branch, and the community plans
to resolve it in the upcoming version 1.12 release scheduled for
October-November.

On Mon, Jun 30, 2025 at 11:09 AM Xue Weiming <[email protected]> wrote:
>
> Severity: low
>
> Affected versions:
>
> - Apache EventMesh Runtime (org.apache.eventmesh:eventmesh-runtime) 1.6.0 
> through 1.11.0
>
> Description:
>
> CWE-918 Server-Side Request Forgery (SSRF) in eventmesh-runtime module in 
> WebhookUtil.java on Windows, Linux and macOS allows an attacker to abuse 
> functionality on the server to read or update internal resources.
> Users are recommended to upgrade to version 1.12.0 or use the master branch, 
> which fixes this issue.
>
> Credit:
>
> Mak1r 808 <[email protected]> (reporter)
>
> References:
>
> https://eventmesh.apache.org
> https://www.cve.org/CVERecord?id=CVE-2024-39954
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
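The advisory above only names the weakness class (CWE-918) and the file, not what the EventMesh fix does. The block below is an added example, not EventMesh code and not the project's patch: a generic guard of the kind any webhook client needs before it dials out to a user-supplied URL. It restricts the scheme, rejects userinfo, resolves the host, and refuses any address in loopback, link-local, private, multicast or unspecified ranges (the 169.254.0.0/16 block also covers the cloud instance-metadata address). `validate_webhook_url`, `UnsafeWebhookUrl`, `FAKE_DNS` and `fake_resolve` are hypothetical names introduced here; `FAKE_DNS` is constructed data so the example runs offline, with the resolver injectable so a real deployment can pass `socket.getaddrinfo`.

```python
"""SSRF guard for outbound webhook URLs (added illustration; not EventMesh code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Address ranges an outbound webhook call should never reach: unspecified,
# loopback, link-local (includes instance metadata at 169.254.169.254),
# RFC 1918 / CGNAT private space, multicast and reserved blocks, IPv4 and IPv6.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


class UnsafeWebhookUrl(ValueError):
    """Raised when a webhook URL must not be contacted."""


def resolve_with_socket(host):
    """Real resolver for production use: every address the name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_blocked(ip):
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 blocklist applies.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_webhook_url(url, resolve=resolve_with_socket):
    """Return the sorted list of vetted IP addresses for url, or raise.

    The caller should connect to one of the returned addresses (pinning the
    Host header to the original name) rather than re-resolving the name,
    otherwise a DNS rebinding attack can swap in an internal address after
    this check has passed.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeWebhookUrl(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeWebhookUrl("userinfo in URL is not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeWebhookUrl("missing host")
    try:
        parts.port  # raises ValueError on a malformed port such as ':abc'
    except ValueError as exc:
        raise UnsafeWebhookUrl(f"invalid port: {exc}") from exc
    try:
        addrs = {ipaddress.ip_address(host)}  # host is an IP literal
    except ValueError:
        # Hostname (or an IP spelling ipaddress rejects, e.g. '2130706433'):
        # let the resolver decide, then vet every address it returns.
        try:
            addrs = {ipaddress.ip_address(a) for a in resolve(host)}
        except OSError as exc:
            raise UnsafeWebhookUrl(f"cannot resolve {host!r}: {exc}") from exc
    if not addrs:
        raise UnsafeWebhookUrl(f"{host!r} resolved to no addresses")
    blocked = sorted(str(a) for a in addrs if _is_blocked(a))
    if blocked:
        raise UnsafeWebhookUrl(f"{host!r} resolves to blocked address(es): {blocked}")
    return sorted(str(a) for a in addrs)


def is_safe_webhook_url(url, resolve=resolve_with_socket):
    """Boolean convenience wrapper around validate_webhook_url."""
    try:
        validate_webhook_url(url, resolve)
        return True
    except UnsafeWebhookUrl:
        return False


# Constructed resolver data for offline demonstration (not real DNS answers).
FAKE_DNS = {
    "hooks.example.com": {"203.0.113.10"},
    # A name that answers with a public and an internal address: must be refused.
    "rebind.example.net": {"203.0.113.20", "10.0.0.5"},
    "loopback.example.org": {"127.0.0.1"},
}


def fake_resolve(host):
    """Constructed stand-in for resolve_with_socket used by the demo."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"no such host: {host}")


if __name__ == "__main__":
    for u in ("https://hooks.example.com/notify", "http://rebind.example.net/",
              "http://127.0.0.1:8080/admin", "http://[::ffff:169.254.169.254]/",
              "file:///etc/passwd", "http://admin@hooks.example.com/"):
        print(u, "->", "allowed" if is_safe_webhook_url(u, fake_resolve) else "refused")
```

Two points matter in practice: every address a name resolves to must pass, not just the first, and the check must be repeated at send time (or the connection pinned to the vetted address), because a registration-time check alone is defeated by a name whose answer changes later.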
